Financially motivated groups like ShinyHunters and Scattered LAPSUS$ Hunters are exploiting federated SSO and SaaS trust relationships via vishing and OAuth abuse to gain persistent access, exfiltrate data at scale, and conduct delayed extortion against organizations.

CYBER INSIGHTS | JAN 28, 2026

Overview

Recent activity attributed to ShinyHunters, Scattered Spider, and the self-branded “Scattered LAPSUS$ Hunters (SLH)” highlights a sustained shift toward identity-driven intrusions targeting SaaS platforms such as Salesforce, Okta, Microsoft Entra, Google SSO, and Zendesk. These campaigns rely on vishing and real-time social engineering to coerce users into completing legitimate authentication and OAuth authorization flows, enabling attackers to gain persistent access without exploiting software vulnerabilities. The threat is significant because a single successful interaction with an employee can provide access to multiple downstream SaaS platforms through federated SSO, rapidly expanding the blast radius of a compromise. Once access is obtained, attackers enumerate connected applications, exfiltrate large volumes of customer and operational data, and later issue extortion demands, sometimes months after the initial intrusion. This activity is occurring in the wild and has impacted multiple organizations across industries, demonstrating that trust workflows and human behavior are the primary attack surface rather than platform flaws.

Key Findings:

  • Federated identity is the primary attack surface: These campaigns consistently bypass technical perimeter controls by using vishing and real-time social engineering to drive victims through legitimate sign-in and OAuth authorization flows, creating “valid” access without exploiting platform vulnerabilities.
  • SSO creates an outsized blast radius: A single compromised user or support workflow can cascade across multiple downstream SaaS platforms (Salesforce, Zendesk, and others) via federated SSO, enabling rapid privilege expansion and broad data access.
  • Abuse blends into normal operations: Attackers rely on legitimate OAuth grants, session persistence, and standard SaaS APIs to enumerate connected apps and perform bulk exports, which often evades monitoring that prioritizes failed logins or malware-based signals.
  • Extortion and branding amplify impact: The “Scattered LAPSUS$ Hunters” label functions as a federated reputation layer that increases coercion and confusion, with public claims and delayed extortion sometimes occurring months after initial access—complicating attribution, response, and customer communications.
  • Immediate Actions: Restrict Salesforce connected-app/OAuth authorization to an explicit allowlist and trigger immediate review of any new app authorization or token grant events. Harden help-desk and support workflows with mandatory secondary verification for account recovery, resets, and sensitive access actions to neutralize vishing-driven impersonation.

1.0 Threat Overview

Scattered LAPSUS$ Hunters emerged publicly in early August 2025 as a hybrid brand that appropriates naming and reputational elements from Scattered Spider, ShinyHunters, and LAPSUS$. Trustwave SpiderLabs assesses SLH as a situational alliance or brand container rather than a formal merger, with Telegram serving as the primary platform for narrative construction, coordination, and extortion signaling. Channels associated with SLH have been repeatedly removed and re-created, reflecting both platform moderation and the group’s emphasis on persistent public presence.

Parallel reporting throughout 2025 and early 2026 documents ShinyHunters’ evolution from mass data theft toward targeted cloud and SaaS extortion, with Salesforce repeatedly identified as a core objective. Incidents such as the disputed Resecurity “breach” illustrate how the group emphasizes public claims and coercive narratives, even when the underlying access involves synthetic or honeypot data, reinforcing that perception management is a core component of operations. Additionally, ShinyHunters and associated actors are conducting human-operated social engineering campaigns that exploit trust in identity and support workflows to access enterprise SaaS environments. These campaigns do not rely on vulnerabilities in Salesforce, Okta, Microsoft, Google, or Zendesk; instead they manipulate users into authorizing access or completing authentication on behalf of the attacker. Once inside, the attackers leverage legitimate access paths to harvest data at scale and monetize intrusions through extortion. The SLH branding layer adds reputational leverage and visibility, enabling multiple actors to claim affiliation and amplify perceived impact.

1.1 Threat Actor Breakdown

LAPSUS$ is included in this section for contextual purposes only. While LAPSUS$ was an active and distinct cybercriminal group during 2021–2022, it is assessed as largely disrupted following law enforcement action. References to LAPSUS$ within the “Scattered LAPSUS$ Hunters” label reflect reputational reuse rather than operational continuity. There is no evidence that original LAPSUS$ operators are directly conducting the Salesforce or SaaS-focused campaigns described in this report.

The activity described in this report is not driven by a single, unified threat actor, but by a combination of operational groups and a federated branding construct. ShinyHunters and Scattered Spider are responsible for the execution of social engineering, identity compromise, and SaaS data theft, while the “Scattered LAPSUS$ Hunters” label functions primarily as a public-facing identity used to amplify extortion pressure and obscure attribution. This separation between execution and branding is a defining characteristic of the campaign.

ShinyHunters appears to play a central role in Salesforce-focused operations, demonstrating a consistent pattern of vishing-led access, OAuth abuse, and delayed extortion. Scattered Spider exhibits overlapping tradecraft, particularly around identity compromise and helpdesk impersonation, and is assessed as a likely collaborator or shared-resource peer rather than a subordinate entity. The SLH designation, meanwhile, operates as a narrative container that aggregates reputational capital from multiple well-known groups, increasing visibility and coercive leverage without clear evidence of centralized command or control.

Understanding these roles is critical for incident response and threat assessment. Public breach claims associated with the SLH label may not accurately reflect the scope or impact of an intrusion, and attribution should be based on observed tradecraft and telemetry rather than branding alone. Organizations responding to incidents linked to this ecosystem should therefore focus on identity abuse patterns and access pathways, rather than attempting to attribute activity solely based on actor naming.

SaaS-Targeting Extortion Groups - Threat Actor Profiles

ShinyHunters (UNC6040)
  Emergence Date: 2020
  Attribution: Financially motivated extortion group; pivoted from mass data theft to SaaS targeting
  Recent Activities: Claimed responsibility for vishing campaigns against Okta, Microsoft Entra, and Google SSO; identified Salesforce as a primary target
  Targets: Salesforce; SaaS platforms reachable via SSO

Scattered Spider (UNC3944)
  Emergence Date: 2022
  Attribution: Loosely organized cybercriminal cluster tied to "The Com" ecosystem
  Recent Activities: Continued social engineering activity and overlap with Salesforce-focused campaigns despite prior arrests
  Targets: Large enterprises in telecom, retail, finance, and cloud-heavy sectors

LAPSUS$
  Emergence Date: 2021
  Attribution: Historically distinct cybercriminal group; largely disrupted after 2022 arrests
  Recent Activities: No confirmed independent activity since 2022; name reused for intimidation and branding
  Targets: Technology firms and large enterprises

Scattered LAPSUS$ Hunters (SLH)
  Emergence Date: 2025
  Attribution: Federated extortion brand combining ShinyHunters, Scattered Spider, and LAPSUS$ reputations
  Recent Activities: Linked to Salesforce and Zendesk campaign signaling and sustained public extortion messaging
  Targets: Salesforce customers (claimed); SaaS and support platforms including Zendesk

2.0 Conditions Enabling Compromise

ShinyHunters’ Salesforce intrusions do not rely on software vulnerabilities or exploitation of platform flaws. Instead, successful compromise depends on a combination of identity trust assumptions, OAuth governance gaps, and human susceptibility to social engineering. When these conditions are present, attackers can obtain persistent, legitimate access to Salesforce environments without triggering traditional security controls, enabling large-scale data exfiltration and delayed monetization.

Salesforce-Targeting Attack Preconditions

User Susceptibility to Vishing and Impersonation
  • Employees can be contacted directly by phone and are accustomed to remote IT support interactions.
  • Attackers successfully impersonate internal IT or Salesforce support, creating urgency around account issues or data access.
  • Users are willing to follow verbal instructions to authorize applications or perform account actions without secondary verification.

Permissive OAuth and Connected App Governance
  • Salesforce environments allow users to authorize connected apps without strict administrative pre-approval.
  • OAuth scopes such as refresh_token and full API access can be granted to third-party apps without sufficient scrutiny.
  • Connected apps are not routinely audited for legitimacy, scope usage, or dormancy.

Over-Privileged Salesforce User Accounts
  • Users targeted by attackers possess API access or permissions associated with Data Loader or bulk export functionality.
  • Least-privilege principles are not consistently enforced across CRM roles and profiles.
  • Excessive permissions allow attackers to escalate from reconnaissance queries to full data dumps once access is obtained.

Reliance on Legitimate Salesforce APIs for Data Movement
  • Salesforce APIs and export tools are trusted operational mechanisms and may not trigger alerts when used by authenticated sessions.
  • Low-volume API queries blend into normal activity, enabling stealthy reconnaissance prior to mass exfiltration.
  • Large exports are permitted without contextual verification of business necessity.

Limited Detection of Anomalous but "Legitimate" Activity
  • Security monitoring focuses on failed authentication rather than successful but suspicious OAuth authorizations.
  • Bulk data exports or unusual query patterns are not correlated with recent app approvals or identity events.
  • OAuth token persistence enables prolonged access without repeated user interaction.

Insufficient Domain and Infrastructure Monitoring
  • Lookalike domains mimicking Salesforce or enterprise IT environments are not proactively detected or blocked.
  • Domain impersonation enhances the credibility of phishing and vishing pretexts used to justify app authorization.

Delayed Awareness of Data Theft and Monetization
  • Organizations often fail to detect exfiltration, allowing attackers to retain data for extended periods.
  • Extortion attempts may occur months after compromise, reducing the ability to correlate demands with the initial intrusion.

3.0 Historical Exploit Timeline

Scattered LAPSUS$ Hunters (SLH) Timeline - Aug 2025 to Jan 2026

August 2025
  Event: SLH Brand Emerges Publicly
  First verified Telegram channels appear using the "Scattered LAPSUS$ Hunters" name, explicitly blending reputations of ShinyHunters, Scattered Spider, and LAPSUS$. Brand positioned as an umbrella identity rather than a formal merged group.

August–September 2025
  Event: Salesforce Named as Victim by SLH
  SLH leak channels and messaging reference Salesforce as a primary victim, aligning with contemporaneous Salesforce-focused vishing and OAuth abuse campaigns attributed to ShinyHunters.

September 2025
  Event: Discord Zendesk Breach Disclosed
  Discord confirms compromise of its Zendesk-based support system, resulting in theft of sensitive user data. At the time, attribution to a broader Zendesk-focused campaign was unclear but was later linked to SLH activity patterns.

October 2025
  Event: Expansion of SLH Brand Affiliations
  Trustwave reporting identifies SLH aligning with other "The Com"-adjacent clusters, reinforcing the assessment of SLH as a situational alliance and brand container rather than a centralized actor.

November 2025
  Event: Zendesk Impersonation Campaign Identified
  ReliaQuest uncovers 40+ typosquatted Zendesk domains, fake SSO portals, and evidence of fraudulent ticket submission targeting help-desk staff. Activity assessed as consistent with SLH campaign signaling.

November 2025
  Event: Gainsight Compromise Claimed
  SLH publicly claims responsibility for a breach of the Gainsight customer success platform, supporting a pattern of targeting SaaS platforms with downstream customer data access.

December 2025
  Event: SLH Announces Multiple Active Campaigns
  Telegram messaging states SLH is "running 3–4 campaigns," warning incident responders to monitor logs through the 2025–2026 holiday period. Indicates intent to sustain simultaneous SaaS-focused operations.

January 2026
  Event: Resecurity "Breach" Claim Disputed
  SLH claims full compromise of Resecurity; Resecurity and DataBreaches determine the accessed data was synthetic honeypot content. The incident highlights SLH claim inflation and narrative-driven extortion tactics.

January 2026
  Event: Continued Public Pressure and Extortion Signaling
  SLH maintains leak site presence and Telegram activity, continuing to reference Salesforce, SaaS platforms, and future campaigns into 2026.

4.0 Risk and Impact

The risk posed by activity associated with ShinyHunters, Scattered Spider, and the Scattered LAPSUS$ Hunters brand is high, as it exploits legitimate identities and SaaS trust mechanisms rather than software vulnerabilities. By leveraging vishing, OAuth authorization, and federated SSO access, attackers can obtain persistent, authenticated access to Salesforce and other connected platforms while evading traditional perimeter and endpoint controls. Successful compromise enables large-scale exfiltration of sensitive customer, financial, and operational data, often without immediate detection. The impact extends beyond initial data theft, as delayed extortion campaigns, public breach claims, and data resale can amplify regulatory exposure, reputational damage, and financial loss months after the intrusion. As these campaigns target widely adopted SaaS platforms and customer support systems, a single compromised user or workflow can result in disproportionate downstream impact across the organization and its customer base.


5.0 Recommendations for Mitigation

To reduce exposure to vishing-led identity compromise and SaaS data theft associated with ShinyHunters, Scattered Spider, and the SLH ecosystem, organizations should implement layered controls that address both human trust exploitation and abuse of legitimate SaaS authorization mechanisms.

5.1 Reinforce employee awareness around vishing and IT impersonation

  • Conduct targeted awareness messaging that explicitly warns employees and help-desk staff that IT or security teams will never request MFA approvals, OAuth app authorization, or software installation over the phone. Emphasize escalation procedures for suspicious calls rather than compliance under urgency.

5.2 Lock down Salesforce OAuth and connected app authorization workflows

  • Restrict Salesforce-connected app installations and OAuth device flow usage to an explicit administrative allowlist. Disable end-user app self-authorization where possible, and routinely audit connected apps for excessive scopes, such as refresh tokens and full API access. Any newly authorized app should be treated as a high-risk event requiring immediate review.

5.3 Implement identity-centric detection for “legitimate but malicious” access patterns

  • Shift detection logic from failed authentication to successful but anomalous behavior, including MFA success immediately followed by new OAuth app approval, bulk API exports, or off-hours Salesforce data access. Correlate identity events with SaaS telemetry to identify abuse of valid sessions rather than intrusion attempts.
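The allowlist and scope audit from 5.2 and the correlation logic from 5.3 can be expressed as one small detection routine. The following is an added example, not code from the report or from any vendor; the event schema, pipe-delimited log format, allowlisted app name, user names, 30-minute window, 10,000-row threshold and 08:00–18:00 business hours are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RISKY_SCOPES = {"refresh_token", "full"}      # scopes the report calls excessive
APP_ALLOWLIST = {"Approved CRM Sync"}         # hypothetical approved connected apps
BUSINESS_HOURS = range(8, 18)                 # assumed; sample timestamps are local time

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str                 # mfa_success | app_authorized | bulk_export
    app: str = ""
    scopes: frozenset = frozenset()
    rows: int = 0

def parse_line(line):
    """Parse one constructed, pipe-delimited, pre-normalized log line."""
    f = line.split("|")
    ev = Event(datetime.fromisoformat(f[0]), f[1], f[2])
    if ev.kind == "app_authorized":
        ev.app, ev.scopes = f[3], frozenset(f[4].split(","))
    elif ev.kind == "bulk_export":
        ev.rows = int(f[3])
    return ev

def correlate(events, window=timedelta(minutes=30), bulk_rows=10000):
    """Flag successful-but-anomalous sequences per user, in time order."""
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        last_mfa = last_bad_auth = None
        for e in evs:
            reasons = []
            if e.kind == "mfa_success":
                last_mfa = e              # identity event: remember it, do not alert
            elif e.kind == "app_authorized":
                if e.app not in APP_ALLOWLIST:
                    reasons.append("app not on allowlist")
                if e.scopes & RISKY_SCOPES:
                    reasons.append("risky scopes: " + ",".join(sorted(e.scopes & RISKY_SCOPES)))
                if reasons and last_mfa and e.ts - last_mfa.ts <= window:
                    reasons.append("granted within window after MFA success")
                if reasons:
                    last_bad_auth = e     # later exports are judged against this grant
            elif e.kind == "bulk_export":
                if e.rows >= bulk_rows:
                    reasons.append(f"bulk export of {e.rows} rows")
                if last_bad_auth and e.ts - last_bad_auth.ts <= window:
                    reasons.append(f"follows suspicious grant to {last_bad_auth.app}")
                if e.ts.hour not in BUSINESS_HOURS:
                    reasons.append("off-hours data access")
            if reasons:
                findings.append({"user": user, "kind": e.kind, "ts": e.ts.isoformat(), "reasons": reasons})
    return findings

SAMPLE_LOG = """2026-01-20T10:02:11|alice|mfa_success
2026-01-20T10:05:40|alice|app_authorized|Approved CRM Sync|api
2026-01-20T14:20:03|bob|mfa_success
2026-01-20T14:24:55|bob|app_authorized|Data Export Helper|api,refresh_token,full
2026-01-20T14:41:10|bob|bulk_export|250000
2026-01-21T02:15:00|carol|bulk_export|50000"""
EVENTS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]  # constructed sample, not real telemetry
```

Running `correlate(EVENTS)` on the constructed log yields three findings: bob's non-allowlisted grant with refresh_token/full scopes minutes after MFA, bob's bulk export that follows it, and carol's off-hours bulk export; alice's allowlisted, narrowly scoped grant after MFA is not flagged.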

5.4 Harden help-desk and support platform workflows as Tier-1 attack surfaces

  • Treat Zendesk and similar customer support platforms as privileged systems. Limit which roles can process account recovery, credential resets, or sensitive attachments; require secondary verification for administrative actions; and monitor for fraudulent ticket submissions designed to deliver malware or harvest credentials.

5.5 Proactively disrupt attacker credibility through domain and infrastructure monitoring

  • Monitor for and rapidly block look-alike domains impersonating Salesforce, Zendesk, or internal IT portals. Early detection of typosquatted infrastructure can disrupt vishing and phishing pretexts before employees are contacted, reducing the success rate of social engineering campaigns.

6.0 Hunter Insights

Federated SaaS intrusions tied to ShinyHunters, Scattered Spider, and the Scattered LAPSUS$ Hunters brand are likely to solidify into a mature “identity-first” access and extortion ecosystem over the next 12–24 months, with SSO and support platforms at the center rather than traditional perimeter exploits. Expect expansion of real-time phishing and vishing kits against Okta, Entra, and Google SSO, broader targeting of SaaS platforms like Salesforce, Zendesk, Gainsight, and similar CX/CRM ecosystems, and more frequent use of federated branding (such as SLH) to market “access-as-a-service” and amplify coercive pressure while obscuring which underlying crews actually executed the intrusion. These actors will likely refine their tradecraft around OAuth and delegated flows, insider facilitation, AI-assisted voice social engineering, and infrastructure camouflage (rapidly rotating but thematically consistent domains and messaging channels), making it harder for defenders to distinguish malicious but valid logins and data exports from normal operations.

For defenders, this trajectory means shifting cyber threat intelligence and detection priorities from single-platform compromise toward the whole identity and SaaS trust chain. High-value collection and monitoring areas include: federated-brand infrastructure and personas rather than group names alone; identity-centric precursors like risky OAuth grants, anomalous but successful MFA and SSO events, and first-time bulk exports from SaaS APIs; and "The Com"-adjacent social and extortion channels that signal upcoming campaigns and narrative manipulation, including exaggerated or partially fabricated breach claims. Organizations should plan on multi-tenant, customer-impact scenarios as the default outcome of a single identity compromise, treat help-desk and customer support platforms as Tier-1 assets, and build playbooks that account for long-tail extortion and public signaling well after the initial intrusion window.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.